Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A system for detecting and mitigating attacks by malware, the system comprising: a protected system, the protected system including a processor and a memory, an operating system executing on the processor, wherein the protected system is associated with a protected storage, the protected storage including a first plurality of files organized in a first file system, and wherein the operating system moderates access to the first plurality of files by system processes executing on the processor; a protecting system, the protecting system including a file system change monitor, a threat analysis module, a storage controller, and a backup storage including a durable storage area including least a second plurality of files mirroring the first plurality of files, and a temporary storage area; wherein the protecting system further includes processor-executable instructions that, when executed by a processor associated with the protecting system: receive notification of a file change event via the file system change monitor; characterize the file change event by the threat analysis module, the characterization including at least two or more of a group selected from file creation, file deletion, file rename, file move, file type change, file entropy change, and file content change; classify, by the threat analysis module, the characteristics of the file change event to determine a malware probability estimate, wherein the malware probability estimate measures the system confidence that the file change resulted from the execution of a malware process; and if the malware probability estimate exceeds a threshold, diverts, by the storage controller, the storage of the file change event to the temporary storage area; wherein the durable storage area is physically distinct from the protected storage.
A system for detecting and mitigating malware attacks monitors file system changes on a protected system to identify suspicious activity. The protected system includes a processor, memory, an operating system, and a protected storage containing a first set of files organized in a file system. The operating system controls access to these files by system processes. A separate protecting system tracks file changes using a file system change monitor and analyzes them with a threat analysis module. The analysis characterizes changes such as file creation, deletion, renaming, moving, type alteration, entropy shifts, or content modifications. The threat analysis module then classifies these characteristics to estimate the probability that the change resulted from malware execution. If the malware probability estimate exceeds a predefined threshold, a storage controller diverts the file change to a temporary storage area within the protecting system’s backup storage. The backup storage also includes a durable storage area that physically mirrors the protected system’s files, ensuring data redundancy. The durable storage is distinct from the protected storage, providing isolation for recovery purposes. The system aims to prevent malicious file modifications from affecting the protected system while preserving evidence for analysis.
2. The system of claim 1, wherein the durable storage area is physically remote from the protected storage.
The invention relates to a data storage system designed to enhance security by separating sensitive data storage from less secure storage areas. The system includes a protected storage area for storing sensitive information and a durable storage area that holds data for longer-term retention. The durable storage area is physically separated from the protected storage, meaning it is located in a different physical location to reduce the risk of unauthorized access or data compromise. This separation ensures that even if the protected storage is breached, the durable storage remains isolated, maintaining the integrity and security of the stored data. The system may also include mechanisms to manage data transfer between the two storage areas while enforcing strict access controls. By physically isolating the durable storage, the invention aims to mitigate risks associated with centralized storage vulnerabilities, such as unauthorized access, data corruption, or loss due to hardware failure or cyberattacks. This approach is particularly useful in environments where sensitive data, such as financial records, personal information, or proprietary algorithms, must be safeguarded against both internal and external threats.
3. The system of claim 1, wherein the first plurality of files comprises a subset of operating system files and a subset of user files, and wherein the malware probability estimate is moved higher as a result of changes to user files than changes to operating system files.
A system for detecting malware by analyzing file changes and estimating infection probability. The system monitors a first set of files, which includes both operating system files and user files. When changes are detected in these files, the system calculates a malware probability estimate. The system adjusts this estimate based on the type of file that was modified, increasing the probability more significantly when changes occur in user files compared to operating system files. This approach prioritizes user file modifications as higher-risk indicators of potential malware activity, while still accounting for changes in system-critical files. The system may use this adjusted probability to trigger alerts, quarantine files, or initiate further security actions. The differentiation in risk assessment between user and system files helps reduce false positives by recognizing that unauthorized changes to user data are more likely to indicate malicious activity than routine system file updates.
4. The system of claim 1, further comprising agent instructions being executed by the processor on the protected system.
A system for enhancing cybersecurity in a protected computing environment addresses the challenge of detecting and mitigating unauthorized access or malicious activities. The system includes a processor and a memory storing agent instructions that, when executed, perform security monitoring and response functions. The agent instructions enable real-time analysis of system activities, identifying anomalies or suspicious behavior that may indicate a security threat. The system also includes a communication interface for transmitting security alerts or data to a remote monitoring server, facilitating centralized threat detection and response coordination. Additionally, the agent instructions can enforce security policies, such as restricting access to sensitive resources or isolating compromised components, to prevent further damage. The system may also include a user interface for configuring security settings or reviewing threat reports. By integrating these components, the system provides a comprehensive approach to detecting, analyzing, and mitigating cybersecurity threats in real time, improving the overall security posture of the protected computing environment.
5. The system of claim 1, wherein the protected system further includes a network interface, the protected system being communicably coupled via the network interface to a network, and further comprising a network agent coupled to the network such that the network traffic to the durable storage is observable by the network agent, and wherein the components of the protecting system are remote from the protected system.
The invention relates to a data protection system designed to secure data stored on durable storage within a protected system. The system includes a network interface that allows the protected system to communicate over a network. A network agent is connected to the network, enabling it to monitor network traffic directed to the durable storage. The key aspect of this configuration is that the components responsible for protecting the data are physically separate from the protected system, meaning the protection mechanisms operate remotely rather than locally. This remote arrangement allows for centralized monitoring and management of data security without requiring direct integration into the protected system itself. The network agent's ability to observe traffic to the durable storage ensures that data transfers can be inspected or secured in real time, enhancing protection against unauthorized access or corruption. The system leverages network-level visibility to enforce security policies while maintaining separation between the protected system and the protection infrastructure.
6. The system of claim 5, wherein the network agent is implemented using one of a proxy and a network tap.
A system for network monitoring and analysis includes a network agent that intercepts and processes network traffic to detect and mitigate security threats. The network agent is implemented using either a proxy or a network tap. A proxy acts as an intermediary between client devices and servers, allowing the system to inspect and modify traffic in real time. A network tap, on the other hand, passively monitors traffic by creating a copy of data packets without interfering with network operations. The system analyzes the intercepted traffic for malicious patterns, such as malware, unauthorized access attempts, or data exfiltration, and applies security policies to block or redirect suspicious traffic. The network agent may also perform encryption, decryption, or protocol translation to ensure compatibility with different network protocols. The system integrates with existing security tools, such as firewalls and intrusion detection systems, to enhance overall network security. By using either a proxy or a network tap, the system provides flexibility in deployment, allowing it to be adapted to different network architectures and security requirements. The system improves threat detection accuracy and reduces response times by analyzing traffic at the network layer, providing a comprehensive solution for protecting against cyber threats.
7. The system of claim 1, wherein the protected system further comprises a local storage distinct from the protected storage.
The invention relates to a protected system designed to secure sensitive data, comprising a protected storage component for safeguarding information. In addition to this primary storage, the system incorporates a separate local storage unit distinct from the protected storage. This local storage serves as an auxiliary repository, likely intended to enhance data redundancy, improve access speeds, or provide temporary storage for non-sensitive operations. The separation between the protected storage and local storage ensures that critical data remains isolated from less secure or more accessible storage areas, thereby maintaining higher levels of security for sensitive information. The local storage may operate independently or in conjunction with the protected storage, potentially facilitating backup, caching, or intermediate processing tasks without compromising the integrity of the protected data. This dual-storage architecture aims to balance performance and security, ensuring that sensitive operations or data remain shielded while allowing for efficient system operation through the local storage component.
8. The system of claim 7, wherein the protected storage is remote from the local storage.
The invention relates to a data storage system designed to protect sensitive information by separating protected storage from local storage. The system includes a local storage component where data is initially processed or stored, and a remote protected storage component that holds encrypted or secured copies of the data. This separation ensures that even if the local storage is compromised, the protected data remains secure in a remote location. The remote protected storage may use additional security measures such as encryption, access controls, or redundancy to further safeguard the data. The system may also include mechanisms for securely transferring data between the local and remote storage, such as encrypted communication channels or authentication protocols. This approach addresses the problem of data breaches or unauthorized access by maintaining a secure backup of critical information in a separate, protected environment. The remote storage may be hosted on a different server, cloud platform, or dedicated secure facility, providing an additional layer of protection against local threats like hardware failure, theft, or cyberattacks. The system aims to enhance data security by ensuring that protected information is not solely dependent on the integrity of the local storage environment.
9. A method to protect user data against non-user action using a protecting system, comprising: establishing a baseline probability of non-user action; establishing a first threshold value associated with a high probability of non-user action; capturing an initial state of user data using a protecting system, wherein a substantially identical copy of the user data is stored in a cloud system, the cloud system having a storage including long-term and long-term storage areas; detecting a first attempted change to the user data stored in the cloud system; evaluating the change to the user data prior to storing the first attempted change in the long-term storage area; based on the evaluation of the change to the user data, determining a probability that the first attempted change is the result of non-user action; and determining a response to the change based on the probability and the first threshold value, wherein the response includes a determination as to whether to store the data in the short-term storage area or the long-term storage area.
A system for safeguarding user data from unauthorized modifications by non-users employs a probabilistic approach to assess changes before permanent storage. The method begins by establishing a baseline probability of non-user actions and a first threshold indicating a high likelihood of such actions. Initially, the system captures the user data state and creates a synchronized copy stored in a cloud system, which is divided into short-term and long-term storage areas. When an attempted modification to the cloud-stored data is detected, the system evaluates the change before committing it to long-term storage. The evaluation determines the probability that the change originated from a non-user. Based on this probability and the predefined threshold, the system decides whether to store the modified data in short-term or long-term storage. If the probability exceeds the threshold, the change may be restricted to short-term storage or blocked entirely, preventing unauthorized alterations from being permanently recorded. This approach ensures that only verified user actions result in long-term data retention, enhancing data integrity and security.
10. The method of claim 9, wherein detecting the first attempted change is implemented using one of a proxy and a network tap communicably coupled between the protected system and the storage in the cloud system.
This invention relates to detecting unauthorized changes to data stored in a cloud system. The problem addressed is the need to monitor and prevent unauthorized modifications to data stored in cloud environments, where traditional security measures may not be sufficient due to the distributed and shared nature of cloud infrastructure. The invention involves a method for detecting unauthorized changes to data in a cloud storage system. A proxy or network tap is placed between a protected system and the cloud storage to monitor data access and modifications. When an unauthorized change is detected, the system can take corrective actions, such as blocking the change or alerting administrators. The method ensures that only authorized modifications are allowed, enhancing data security in cloud environments. The proxy or network tap acts as an intermediary, inspecting all data transactions between the protected system and the cloud storage. It can detect changes by comparing incoming data against expected or authorized modifications. If an unauthorized change is identified, the system can either reject the change or trigger an alert. This approach provides real-time monitoring and protection against unauthorized data alterations, addressing security concerns in cloud-based storage solutions. The method is particularly useful for organizations that rely on cloud storage but require strict control over data integrity and access.
11. The method of claim 9, wherein detecting the first attempted change of the user data comprises detecting at least one of: deletion of the user data, creation of a new user data, change to the associated file metadata of the user data, change to the entropy in the user data, and change to content of the user data.
This invention relates to a system for monitoring and detecting changes to user data within a computing environment. The problem addressed is the need to accurately identify various types of modifications to user data, including deletions, creations, metadata changes, entropy changes, and content alterations. The system monitors user data to detect these changes, ensuring comprehensive tracking of data modifications. The method involves analyzing the user data to identify deletions, such as when data is removed from storage. It also detects the creation of new user data, such as when a new file or entry is generated. Additionally, the system tracks changes to associated file metadata, which may include attributes like timestamps, permissions, or ownership details. The method further monitors changes in entropy within the user data, which can indicate alterations in data patterns or randomness. Lastly, it detects modifications to the actual content of the user data, such as edits to text, images, or other file contents. By detecting these various types of changes, the system provides a robust solution for tracking and auditing user data modifications in real-time or near-real-time. This ensures data integrity and security by identifying unauthorized or suspicious activities.
12. The method of claim 9, wherein capturing the initial state of the user data comprises: capturing a first structure of the user data; capturing a first file type of the user data; and determining a first entropy of the user data.
The invention relates to a data management system that captures and analyzes the initial state of user data to enable efficient processing, storage, or recovery. The system addresses the problem of accurately characterizing user data at its source to support subsequent operations such as backup, encryption, or data integrity verification. The described method involves capturing three key attributes of the user data during its initial state. First, it records the structural organization of the data, such as the arrangement of files, directories, or metadata, to preserve its original format. Second, it identifies the file type or format of the data, which may include extensions, encoding schemes, or application-specific structures. Third, it calculates the entropy of the data, a measure of randomness or information density, which can indicate the presence of compressed, encrypted, or highly structured content. By capturing these attributes—structure, file type, and entropy—the system establishes a baseline profile of the user data. This profile can later be used to detect changes, optimize storage, or ensure compatibility during data restoration or migration. The approach is particularly useful in environments where data integrity and format consistency are critical such as enterprise backup systems, digital forensics, or data lifecycle management platforms.
13. The method of claim 12, wherein determining the probability based on the first attempted change comprises: determining a second entropy of the user data after the first attempted change; determining a first difference based on the first entropy and the second entropy; determining whether the first difference is higher or lower than an entropy change threshold; in response to the difference being lower than the entropy change threshold: decreasing the probability; and in response to the difference being higher than the entropy change threshold: increasing the probability; determining a second file type of the user data after the first attempted change; determining whether the first file type and the second file type are the same; in response to the first file type and the second file type being the same: decreasing the probability; and in response to the first file type and the second file type being different: increasing the probability; determining a second structure of the user data after the first attempted change; determining a second difference based on the first structure and the second structure; determining whether the second difference is higher or lower than a difference threshold; in response to the difference being lower than the difference threshold: decreasing the probability; and in response to the difference being higher than the difference threshold: increasing the probability.
The invention relates to a probabilistic method for evaluating changes to user data, particularly in data processing or storage systems where modifications to data structures or content require validation. The core problem addressed is determining whether an attempted change to user data should be accepted or rejected based on measurable entropy, file type consistency, and structural differences before and after the change. The method involves calculating the entropy of the user data before and after a first attempted change to assess randomness or information content. A first difference is derived from the change in entropy, which is then compared against an entropy change threshold. If the difference is below the threshold, the probability of accepting the change is decreased; if above, the probability is increased. Additionally, the file type of the user data is checked before and after the change. If the file type remains the same, the probability is decreased; if it changes, the probability is increased. The method further evaluates the structural integrity of the user data by comparing its structure before and after the change to compute a second difference. This difference is compared against a separate threshold. If the structural difference is below the threshold, the probability is decreased; if above, the probability is increased. These combined evaluations dynamically adjust the acceptance probability of the attempted change, ensuring that only modifications meeting certain entropy, type, and structural criteria are probabilistically favored.
14. The method of claim 9, further comprising: establishing a second threshold associated with a possibility of non-user action, where the second threshold is higher than the baseline probability and lower than the first threshold.
The invention relates to a method for detecting user intent or actions in a system where a baseline probability of non-user action is established. The system sets a first threshold higher than this baseline to determine when a user action is likely. Additionally, a second threshold is introduced, positioned between the baseline probability and the first threshold. This second threshold helps differentiate between ambiguous cases where user action is possible but not certain, allowing for more nuanced decision-making. By using these two thresholds, the system can better distinguish between clear user actions, uncertain scenarios, and non-user actions, improving the accuracy of intent detection. This approach is particularly useful in applications where false positives or false negatives in action detection could lead to inefficiencies or errors, such as in automated control systems or user interface interactions.
15. The method of claim 14, further comprising applying an exponential decay function to the probability of non-user action, so that, after the probability of non-user action is increased, it will fall to the baseline probability level.
A system for predicting and adjusting user engagement probabilities in digital interfaces uses a probabilistic model to estimate the likelihood of a user taking no action. The method begins by calculating a baseline probability of non-user action, which represents the expected rate of inaction under normal conditions. When user inaction exceeds this baseline, the system detects an anomaly and temporarily increases the probability of non-user action to account for the deviation. To prevent prolonged overestimation, an exponential decay function is then applied to gradually reduce the adjusted probability back to the original baseline level. This ensures that the system adapts to short-term fluctuations in user behavior while maintaining long-term accuracy in engagement predictions. The decay function smooths the transition, avoiding abrupt corrections that could disrupt real-time decision-making processes. The approach is designed to improve the reliability of user engagement models by dynamically correcting for temporary spikes in non-user activity without permanently skewing the baseline probability.
16. The method of claim 14, wherein a probability score higher than the second threshold but lower than the first threshold will result in the storage of the changed data in the short-term storage area, and wherein the movement of the probability score under the second threshold will result in the migration of the changed data from the short-term storage area to the long-term storage area.
This invention relates to data storage management systems that classify and migrate data based on probability scores. The system addresses the challenge of efficiently managing data storage by dynamically categorizing data into short-term and long-term storage areas based on its relevance or importance over time. The method involves assigning a probability score to changed data, which reflects its likelihood of being accessed or modified in the future. If the score exceeds a first threshold, the data is stored in a primary storage area. If the score falls below a second threshold, the data is migrated to a long-term storage area. When the score is between the two thresholds, the data is stored in a short-term storage area. The system monitors the probability score over time and automatically migrates data from the short-term to the long-term storage area when the score drops below the second threshold. This approach optimizes storage resources by ensuring frequently accessed or critical data remains in high-performance storage while less relevant data is moved to cost-effective long-term storage. The method dynamically adjusts storage allocation based on real-time data usage patterns, improving efficiency and reducing operational costs.
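The three before/after checks recited in claim 13 and the two-threshold routing with exponential decay recited in claims 14 to 16 can be sketched as follows. This is an added example, not code from the patent or its assignee; the class and function names, step size, threshold values, half-life, magic-byte table, the use of entropy rise as the "first difference", and the rule that changes scoring above the first threshold are held for review instead of auto-migrated are all assumptions.

```python
import hashlib
import math
from collections import Counter
from difflib import SequenceMatcher

MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}  # small sample table

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def file_type(data: bytes) -> str:
    """Coarse type from leading magic bytes; all-printable ASCII counts as text."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"

def structure_difference(before: bytes, after: bytes) -> float:
    """0.0 for identical content, approaching 1.0 when nothing is shared."""
    return 1.0 - SequenceMatcher(None, before, after, autojunk=False).ratio()

class NonUserActionScorer:
    """Hypothetical scorer; every default value below is an assumption."""

    def __init__(self, baseline=0.05, second=0.25, first=0.75, step=0.25,
                 entropy_rise=1.5, diff_limit=0.5, half_life=600.0):
        if not baseline < second < first:   # ordering required by claim 14
            raise ValueError("need baseline < second < first")
        self.baseline, self.second, self.first = baseline, second, first
        self.step, self.entropy_rise = step, entropy_rise
        self.diff_limit, self.half_life = diff_limit, half_life
        self.p, self.t = baseline, 0.0
        self.held = []     # short-term, eligible for migration (claim 16)
        self.flagged = []  # short-term, above first threshold, kept for review

    def current(self, now: float) -> float:
        """Claim 15: a raised score decays exponentially back to the baseline."""
        k = math.log(2) / self.half_life
        return self.baseline + (self.p - self.baseline) * math.exp(-k * (now - self.t))

    def evaluate(self, name: str, before: bytes, after: bytes, now: float) -> str:
        """Claim 13: each check moves the score up or down by one step."""
        p = self.current(now)
        signals = (
            shannon_entropy(after) - shannon_entropy(before) > self.entropy_rise,
            file_type(after) != file_type(before),
            structure_difference(before, after) > self.diff_limit,
        )
        for raised in signals:
            p += self.step if raised else -self.step
        self.p, self.t = min(1.0, max(self.baseline, p)), now
        if self.p > self.first:
            self.flagged.append(name)
            return "short_term_flagged"
        if self.p > self.second:
            self.held.append(name)
            return "short_term"
        return "long_term"

    def release(self, now: float) -> list:
        """Claim 16: once the score falls under the second threshold, migrate."""
        if self.current(now) < self.second:
            migrated, self.held = self.held, []
            return migrated
        return []

# Constructed sample data, not taken from any real system.
ORIGINAL = b"Quarterly report draft.\n" + b"Revenue grew in every region this year.\n" * 6
BENIGN_EDIT = ORIGINAL + b"Reviewed by finance.\n"
RETYPED = b"%PDF-1.4\n" + b"0123456789" * 30            # new type and content
ENCRYPTED_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    s = NonUserActionScorer()
    for t, after in ((0, BENIGN_EDIT), (10, RETYPED), (620, ENCRYPTED_LIKE)):
        print(t, s.evaluate("report.txt", ORIGINAL, after, now=t), round(s.p, 3))
```

Because the score is shared state, a burst of suspicious changes pushes later writes into short-term storage too until the decay brings the score back down.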
17. The method of claim 9, further comprising a secondary evaluation evaluating factors other than a change in entropy, a change in file type, and a change in similarity, and modifying the probability based on the secondary evaluation.
The invention relates to a method for assessing changes in data or files by evaluating multiple factors to determine a probability metric. The core process involves detecting changes in entropy, file type, and similarity between versions of a file or dataset. These primary evaluations are used to compute an initial probability indicating the likelihood of a significant alteration or anomaly. In addition to these primary evaluations, the method includes a secondary evaluation step that considers additional factors beyond entropy changes, file type modifications, and similarity comparisons. This secondary assessment further refines the probability metric by incorporating supplementary criteria that may influence the overall assessment of the file or data change. The secondary evaluation may involve analyzing metadata, behavioral patterns, contextual information, or other relevant parameters that provide deeper insight into the nature of the change. The final probability is then adjusted based on the results of this secondary evaluation, enhancing the accuracy and reliability of the assessment. The method aims to provide a more comprehensive and nuanced evaluation of file or data changes by combining multiple analytical perspectives.
18. A system for detecting and mitigating attacks by malware, the system comprising: a protected system, the protected system including a processor and a memory, an operating system executing on the processor, wherein the protected system is associated with a protected storage, the protected storage including a first plurality of files organized in a first file system, and wherein the operating system moderates access to the first plurality of files by system processes executing on the processor; a protecting system, the protecting system including a file system change monitor, a threat analysis module, a storage controller, and a backup storage including a durable storage area including least a second plurality of files mirroring the first plurality of files, and a temporary storage area; wherein all components of the protecting system are physically distinct from the components of the protected system; and wherein the protecting system includes a component communicably interposed between the protected system and the protected storage; and wherein the protecting system updates the second plurality of files in a manner consistent with the updates to the first plurality of files, without affecting the operation of the protected system.
The invention relates to cybersecurity, specifically a system designed to detect and mitigate malware attacks targeting a protected computer system. The system comprises two physically separate components: a protected system and a protecting system. The protected system includes a processor, memory, an operating system, and a protected storage containing a primary set of files organized in a file system. The operating system controls access to these files by system processes running on the processor. The protecting system consists of several modules: a file system change monitor, a threat analysis module, a storage controller, and a backup storage. The backup storage contains a durable storage area with a mirrored copy of the primary files and a temporary storage area. The protecting system is interposed between the protected system and its storage, allowing it to observe and intercept file system changes without disrupting the protected system's operation. It monitors changes to the primary files, analyzes them for potential threats, and updates the mirrored files in the backup storage accordingly. This ensures real-time protection while maintaining system performance and integrity. The separation of the protecting system from the protected system enhances security by isolating critical monitoring and mitigation functions from potential malware compromise.
19. The system of claim 18, wherein the component communicably interposed between the protecting and the protected system is implemented as one of a proxy or a network tap.
A system for enhancing cybersecurity in networked environments addresses the challenge of protecting sensitive systems from unauthorized access and attacks. The system includes a component that acts as an intermediary between a protected system and a potentially vulnerable or exposed system. This intermediary component monitors, filters, or modifies network traffic to prevent malicious activity from reaching the protected system. The component can be implemented as either a proxy or a network tap. A proxy actively intercepts and relays communications between the systems, allowing for inspection and modification of traffic. A network tap passively monitors traffic by creating a copy of network data without altering the original flow, enabling real-time analysis without disrupting operations. The system ensures that the protected system remains isolated from direct exposure to threats while maintaining secure communication channels. This approach enhances security by providing an additional layer of defense against cyber threats, such as malware, unauthorized access, or data breaches. The solution is particularly useful in environments where sensitive data or critical infrastructure requires robust protection.
20. The system of claim 18 wherein the second plurality of files are stored in a cloud storage system.
The invention relates to a data management system designed to improve the organization and retrieval of files within a distributed computing environment. The system addresses the challenge of efficiently managing and accessing large volumes of files across multiple storage locations, particularly in scenarios where files are distributed across different storage systems, including cloud storage. The system includes a primary storage system that stores a first plurality of files and a secondary storage system that stores a second plurality of files. The secondary storage system is configured to store files in a cloud storage system, enabling scalable and remote access to data. The system further includes a metadata management module that tracks metadata associated with the files stored in both the primary and secondary storage systems. This metadata includes information such as file location, access permissions, and file attributes, allowing for efficient file retrieval and management. Additionally, the system includes a synchronization module that ensures consistency between the primary and secondary storage systems by synchronizing file updates and metadata changes. This synchronization process helps maintain data integrity and ensures that users can access the most recent versions of files regardless of their storage location. The system also includes a user interface that provides users with a unified view of files across both storage systems, simplifying file management and retrieval. By integrating cloud storage into the secondary storage system, the invention enhances data accessibility and scalability while maintaining data consistency and security. This approach is particularly useful in environments where files are distributed across multiple storage systems,
April 28, 2020